Building Better CSIRTs Using Behavioral Psychology

Conference:  BlackHat USA 2021



The presentation discusses the challenges faced in cybersecurity due to egocentrism, complex problems, and multi-team systems. The research aims to bring more intentionality into the space to overcome these challenges and increase the effectiveness of CSIRTs using behavioral psychology.
  • Testing in infosec often requires an individual's skill set, leading to egocentrism.
  • Complex problems arose as early simplicity slowly scaffolded into more complex and mature adversaries, who create these problems, and into the more complex systems being developed.
  • Multi-team systems came out of the complex problems, leading to the need for a watch team, forensics team, engineering team, and more.
  • The presentation discusses a social maturity model that describes the social behaviors driving CSIRT effectiveness and what the priorities are.
  • The collaboration toolkit brings structure, standardization, shared language, and shared mental models into the work.
  • Social maturity takes time and starts with assessment and awareness.
  • Tools that can be used include team and MTS charters, goal hierarchies, communication protocols, and knowledge management.
The presentation mentions that people often update their software and tools but rarely their teamwork. The framework and tools discussed aim to improve teamwork and increase the effectiveness of CSIRTs.


Have you ever worked on a security team where the decisions, communication, and overall team culture are dominated by one or two "rock stars"? Are constant disagreements and passive-aggression among team members hurting your ability to respond effectively? Does your high-functioning team work well together but not with other teams? This presentation will address these challenges and more based on one of the most comprehensive studies of incident response teams ever conducted, including 80+ focus groups and interviews (over 200 participants) across 17 international organizations. We will show that a lack of attention to social maturity is the main cause of these challenges and provide a framework to address them.

Cybersecurity Incident Response Teams (CSIRTs) rely on technical and social skills to be successful, though we often focus on technical skills at the expense of communications, collaboration, and teamwork development. The solution, however, is not more technology to compensate for the lack of teamwork or adding more personnel to cover the gaps. Rather, it is a deliberate focus on the social abilities necessary to be more collectively effective: trust, responsible decision-making, adaptation, collaborative problem-solving, and effective communication. The right training, incentives, and feedback can enhance these skills and improve CSIRT social maturity. This lowers the barrier to entry for less experienced staff and reduces turnover in an extremely hot job market.

Drawing from decades of operational experience and five years of in-depth field research by a team of experts in workplace psychology, this talk will provide a framework for applying principles of behavioral psychology to improve the social maturity of your CSIRT. We will describe tools proven by scientific research to instill and enhance the skills defenders need to work together more effectively and achieve the results we want: a consistent, reliable, and timely defense.